TID 95187 is not on my signature list

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

TID 95187 is not on my signature list

L5 Sessionator

Hi,
The question is related to following vulnerability: https://security.paloaltonetworks.com/CVE-2024-3400

 

In this it said "Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682)."

 

However, when I update content signature to the latest ( which is 8833-8682 ), and then try to create new vulnerability profile with specifying 95187 only, it does not shows me 95187.

 

2024-04-12 18 05 53.png

With ID range, the result is as below

2024-04-12 18 06 54.png

 

I'm sure there is ID 95187 because I can check via CLI.

 

admin@PA-410> show system info | match app-version
app-version: 8833-8682
admin@PA-410> show threat id 95187


This signature detects malicious payload in HTTPS request.


critical
Unknown
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention

admin@PA-410>

 

 

NOTE:  I can replicate this condition with other platforms too.

 

How can I create this vulnerability profile for mitigation?

 

 

1 accepted solution

Accepted Solutions

L5 Sessionator

This is a GUI issue.
Once Applications and Threats content version 8833-8682 was installed, the signature (TID: 95187) is available on the firewall.

 

The severity of the signature is "Critical" and the default action is "reset-server". So, if you clone the strict/default vulnerability profile, or if you follow the best practice, then the signature is effective (enabled).
https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-inter...

 

To fix the GUI issue, please try the followings and see if it works.
1. Go to "Device" -> "Dynamic Update" -> find the content version 'previously' installed -> "Revert"
2. Then, revert back to 8833
3. Refresh the browser page. (or try using another browser)

View solution in original post

16 REPLIES 16

L1 Bithead

I see the same thing.
Can someone confirm if this is is just cosmetic?

Because if you can't individually select the Threat ID, to me the question becomes:

 

If you create a Vulnerability Policy with the action 'reset-server' for ALL 'high' & 'critical' threat IDs, will the profile hit this 'hidden' threat or not?

L5 Sessionator

Even I don't know this is cosmetic issue or not, I could find the way to show TID 95187.

Try following:

1. create sample profile from CLI. sample command is as below

# set profiles vulnerability "sampleconfig" threat-exception 95187 action reset-both

2. go back to your GUI. you can reuse "sampleconfig" profile or delete it if you don't need, then edit your existing profile with TID 95187

 

Even I could configure it, I still curious this protect my GP Gateway (hope this is cosmetic issue)

L1 Bithead

Thanks,

I can confirm your workaround works on a firewall (it didn't on the panorama)

 

It does look cosmetic but I have no way of testing it.

So, to be sure I went ahead and disabled Telemetry.

L5 Sessionator

This is a GUI issue.
Once Applications and Threats content version 8833-8682 was installed, the signature (TID: 95187) is available on the firewall.

 

The severity of the signature is "Critical" and the default action is "reset-server". So, if you clone the strict/default vulnerability profile, or if you follow the best practice, then the signature is effective (enabled).
https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-inter...

 

To fix the GUI issue, please try the followings and see if it works.
1. Go to "Device" -> "Dynamic Update" -> find the content version 'previously' installed -> "Revert"
2. Then, revert back to 8833
3. Refresh the browser page. (or try using another browser)

L3 Networker

Tried on 2 different FWs.. same issue.. even the release notes does not state the threat ID

I've tried with the revert to the previously installed version and then got back to the 8833 and it didn't work in PAN-OS 10.2.7-h3 (I can't see the 8833 signatures in the GUI)

 

I could check in the GUI in a PAN-OS 10.1.6-h7 and the Threat ID is visible in the Vulnerability Profiles after receiving the 8833.

 

The TAC analyst indicates me the 8833 signatures are not visible in the GUI of 10.2 and above, and the way to confirm is the output of "show threat id 95187".

 

However, as some of you wrote in this post, I hope that is just a cosmetic issue because we don't know how can find out if it's working.

Did you also refresh the browser page or try another browser?
I could make it work in PAN-OS 10.2.7-h3.

You're right , I've tried some minutes ago and I can see the 95187 signature in PAN-OS 10.2.7-h3

L0 Member

running 11.1.2 and cant see the ID in pan or the firewall gui.

L1 Bithead

We see the required Vulnerability ID in all PA Firewalls that have at least A&T version 8833-868. Ultimately, this can be added to the policy already protecting a GPVPN Zone...although, having a Universal, new, Sec. Policy at the top, encompassing this CVE, might not be a bad additional protection layer.

 

CENSS01_1-1712938167822.png

 

CENSS01_2-1712938741857.png

 

L1 Bithead

I tried the following, and it work for me.

1. download > install 8833-8682
2. download > install / revert to 8832-8674
3. Revert to 8833-8682

Tin Kanitin

A good review. 👌 Although, we cannot see a reason to have "revert" A&T version as suggested to see the required CVE ID?  The A&T version encompassing the required ID for this CVE, is already part of the latest, the only latest, A&T version available (as far as we can see in various support portals and Firewalls).  If the PA is set to better practices, such as download & install A&T every 30-45 minutes (except for environments that needs to test all A&T versions before deployment), the CVE ID in question should already be available without any required "fix" or "revert."  In fact, if the ID is missing, a manual install would be needed if the installed A&T version is not the latest shown .... as it seems to be the only latest A&T as of 11:00 PT today....so, if it's not already there, it should be installed, not reverted.

 

From the support portal:

CENSS01_1-1712946793327.png

 

From a PA Firewall:

CENSS01_2-1712946900898.png

 

 

 

L0 Member

We noticed this problem also on PanOS 10.2.6. We were able to see the Threat ID when opening a new in-private browser instance or having a colleague check for it. Seems to be cosmetic.

L1 Bithead

I had this issue on 10.2.7-h3, I installed 8834-8684 which came out yesterday and now its showing up in the Panorama Web GUI.

  • 1 accepted solution
  • 9081 Views
  • 16 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!